Please ask questions only in this topic.

[brendanbeals]

i have seen the source of m********.c**, but i do not know how to reverse engineer v****k*y() function?? Please help!

[eljonto]

Please help me "sigh"

Ok so I found the cgi query system and first tried using XSS, didn't work, so then i read up a little and found out about poison null bytes. Ok so what I need to do obviously is list the files within the parent directory.
I've tried

[Spoiler removed]

I have no idea wtf I'm doing and I can't really find a good explanation and the ones that I've seen, is exactly what I'm doing so I don't know what I'm doing =/

ok, go to the news section and click on a link, the url should look like: http://www.hackthissite.org/missions/re ... gi?story=1
ok, try changing the story value, what happens? what happens when you enter an invalid story value? error message can help. After analysing these, ask yourself how the script gets the storys, it takes the value of story and does what to it? So if you were to try and open another file or directory on the server, you'd need to stop the script adding a little something on and that's where the poison null byte comes in handy.... I really can't go any further without spoiling the exploit completely, so i'll leave it to you to mess around with it for a while

-- Tue Sep 08, 2009 7:40 pm --

i have seen the source of m********.c**, but i do not know how to reverse engineer v****k*y() function?? Please help!

This is easier than it looks, if you have perl installed, simply copy the functions into your own .pl file- modify it a little so you can input values and see the output, then just enter values until you get a key within the correct range. If you don't want to use perl (foolish choice ) then just look at what the script chnages the characters to, look at the calculations performed on the characters and recreate this in another language of your choice and then do the same as i mentioned for perl.

Side note, if you are going to use perl for this, make sure you chomp() you input, otherwise an annoying newline character will screw up you key values

[old_grizzly]

Please help me "sigh"

Ok so I found the cgi query system and first tried using XSS, didn't work, so then i read up a little and found out about poison null bytes. Ok so what I need to do obviously is list the files within the parent directory.
I've tried

[Spoiler removed]

I have no idea wtf I'm doing and I can't really find a good explanation and the ones that I've seen, is exactly what I'm doing so I don't know what I'm doing =/

ok, go to the news section and click on a link, the url should look like: http://www.hackthissite.org/missions/re ... gi?story=1
ok, try changing the story value, what happens? what happens when you enter an invalid story value? error message can help. After analysing these, ask yourself how the script gets the storys, it takes the value of story and does what to it? So if you were to try and open another file or directory on the server, you'd need to stop the script adding a little something on and that's where the poison null byte comes in handy.... I really can't go any further without spoiling the exploit completely, so i'll leave it to you to mess around with it for a while

-- Tue Sep 08, 2009 7:40 pm --

i have seen the source of m********.c**, but i do not know how to reverse engineer v****k*y() function?? Please help!

This is easier than it looks, if you have perl installed, simply copy the functions into your own .pl file- modify it a little so you can input values and see the output, then just enter values until you get a key within the correct range. If you don't want to use perl (foolish choice ) then just look at what the script chnages the characters to, look at the calculations performed on the characters and recreate this in another language of your choice and then do the same as i mentioned for perl.

Side note, if you are going to use perl for this, make sure you chomp() you input, otherwise an annoying newline character will screw up you key values

Gday.

Any good pointers or examples for perl. Have been fooling around with strawberry for days playing with the code found in m********.cg*. and no luck. Is perl the only way or is there some php xss we could try. an example would be great.

Thanks

old_grizzly

[HoleSystem]

I have seen the source of m********.c** and i reverse engineered v****k*y() function. Got valid key. Got hint for final step
and logged in as admin.

[elcheapo]

Guys, after getting the null byte tips, I went up to the m**.c** and found the v*** function. Reverse engineering it was the most fun part. =) My little python script gets a valid key in less than a minutes. Here is how I did it.
Lets say a key is abcd [a,b,c,d represents some variable ascii value]
now, sum0 = s0 = 0
s1 = a + s0 * 0 + s0 = a + s0 * (0 + 1) = a
s2 = b + s1 * 1 + s1 = b + s1 * (1 + 1) = b + (a) * (2) = b + 2 * a
s3 = c + s2 * 2 + s2 = c + s2 * (2 + 1) = c + (b + 2 * a) * (3) = c + 3 * (b + 2 * a)
s4 = d + s3 * 3 + s3 = d + s3 * (3 + 1) = d + (c + 3 * (b + 2 * a)) * (4) = d + 4 * (c + 3 * (b + 2 * a))

So, s4 is our final sum which must be such that:
some_lower_value < s4 < some_higher_value
This values are defined in the script.


#### First step: ####
Clearly, s4 is the information we have. Now we need to derive to a key from s4.
Now we step back:
d + 4 * (c + 3 * (b + 2 * a)) == s4
=> 4 * (c + 3 * (b + 2 * a)) == s4 - d
=> c + 3 * (b + 2 * a) == (s4 - d) / 4
Since 'c', 'b', 'a' all have discrete ascii values, Left Hand Side (L.H.S.) is an integer expression. To be L.H.S. == R.H.S. we need the R.H.S. to be an integer expression too! And that's the trick B). You need to find a 'd' such that "(s4 - d) % 4 == 0". Since valid values of 'd' are limited in number, after doing a little brute forcing through the char set, we can find our first candidate"s" (there can be multiple ones). For those values, we take separate paths and see which one meets the end.

#### Second step: ####
After finding possible 'd', we try to find 'c' in a similar manner.
3 * (b + 2 * a) == s3 - c [where, s3 == (s4 - d) / 4]
=> b + 2 * a = (s3 - c) / 3
Similar to the first step, hopefully, we will find some valid values of 'c' too. If no character satisfies the requirement "(s3 - c) % 3 == 0", then there is no hope for our path to reach destination, so we must abandon it. Else, we brach down again.

#### Last step: ####
After getting 'd', 'c', 'b', we are down to 'a'. Now, we must match "0 == (s1 - a)"=>"s1 == a". If you design recursive functions, be careful about this part!

Thus works this method. At least it takes a lot less time then blind brute forcing. One thing though, you will have to guess through possible key lengths. My python script starts from 1 and steps up higher. To find a maximum of 7 digit key with my intel celeron 420 1.6 GHz machine, it took (using unix "time" command) -
"
real 0m43.720s
user 0m39.738s
sys 0m0.056s
"
Hopefully I didn't spoil it too much. PM me if you need the python code. BTW, some of you guys didn't even bother about R. E. Is there any other way?

So, I got a valid key. Now what? Social engineering? I tried to connect to their chat service but the 'java applet' is broken. Is it 'that's how it is', or my system is misconfigured?

[HoleSystem]

So, I got a valid key. Now what? Social engineering? I tried to connect to their chat service but the 'java applet' is broken. Is it 'that's how it is', or my system is misconfigured?

No, no and no...

Go wild

Here's what executed my mind.

[arbunklish]

So I have got the a-page, a username and a password. Do I need do plant a cookie in order to get around the 404?

[HoleSystem]

WTF? Log in, man!

[arbunklish]

Done... well, to easy to be true

[Brandon1650]

can anyone make sence of the robots.txt file.